Consider not using SHA-1 as default

[MarvinHannott]

Due to the discovered collission of SHA-1, I think SHA-256 (which is used by Google Authenticator) should be the default algorithm for generating OTPs.

Also you might consider adding a function for constant time verification of OTPs. Otherwise many people just use standard comparison which opens up timing attacks.

[daegalus]

Ya, only reason I defaulted to SHA-1 was thats what was in the RFC when i was building this. I will look into switching to sha-256. Might need to make a major version bump since its a breaking change for people currently using it with SHA-1.

Definitely a good point on the constant time verification. I will add that.

Might take me a bit to get these changes in, currently going through a interstate move, so my free coding time is non-existent.

[daegalus]

Just wanted to give you a heads up, 99.9% of the work is done and in the v2.0.0 branch of the repo. I currently am trying to figure out the constant time verification. Mostly fighting dartvm optimizations.

Right now i have to warmup the stopwatch during the test to avoid it skewing the first timing of it. I got it down to 2-3 microseconds for comparing the same OTP and 2 different OTPs. and they usually have 0-1 microseconds difference, on rare occasion 2. But the issue is its consistently the different OTPs that take 1 microsecond longer than the 2 same OTPs. which doesn't solve this issue.

Not sure if 1 consistent microsecond is good enough. Sometimes they are the same. and on super rare occasion the Same OTPs are like 3-4 microseconds slower than the different OTPS, but it happens maybe once out of 20 compares.

I'll look into if its possible to get it even better. I wrote 3 different ways of comparing, and this was the fastest and most consistent.

Sorry for the delays on both requests.